Mike West · Aug 22, 2017 · 8:21 PM UTC

Mike West @mikewest

22 Aug 2017

@hadleybeeman @davidbaron @w3ctag Did y'all figure out what you'll be recommending relating to `[SecureContext]`? github.com/w3ctag/design-pri… :)

L. David Baron @dbaron@w3c.social · Aug 23, 2017 · 12:43 AM UTC

L. David Baron @dbaron@w3c.social @davidbaron

23 Aug 2017

Thanks for the reminder. I wrote down a strawman proposal to (hopefully) lead to further discussion: github.com/w3ctag/design-pri…

Mike West · Aug 23, 2017 · 3:03 PM UTC

Mike West @mikewest

23 Aug 2017

It's a good start, thanks for getting the conversation going. My hope is that we can end up with something more aggressive. :)

L. David Baron @dbaron@w3c.social · Aug 23, 2017 · 8:21 PM UTC

L. David Baron @dbaron@w3c.social @davidbaron

23 Aug 2017

More aggressive in what respects?

Mike West · Aug 23, 2017 · 8:37 PM UTC

Mike West @mikewest

23 Aug 2017

I'd like to see secure context restrictions as the default stance, with non-secure exposure discouraged and requiring justification.

L. David Baron @dbaron@w3c.social · Aug 23, 2017 · 8:39 PM UTC

L. David Baron @dbaron@w3c.social · Aug 23, 2017 · 8:39 PM UTC

L. David Baron @dbaron@w3c.social @davidbaron

23 Aug 2017

I think I did take that position on defaults, conditional on the new thing being a visibly distinct feature. Could write on justification...

Aug 23, 2017 · 8:39 PM UTC

Mike West · Aug 23, 2017 · 8:41 PM UTC

Mike West @mikewest

23 Aug 2017

"All new APIs should be restricted to secure contexts." would be a stronger intro. :)

Mike West · Aug 23, 2017 · 8:42 PM UTC

Mike West @mikewest

23 Aug 2017

And "When deciding whether a feature should be limited to secure contexts..." positions the restriction as an opt-in needing justification.